Cybersecurity is becoming an essential pillar of medical device design, and it’s important to find the right strategies to validate and verify your products are secure.
Michael Lynch and Delmar Howard, Intertek
The growth of connected environments has put medical devices at the forefront of the cybersecurity and patient data movement. As more of these devices are brought online there is an increased risk of hackers looking for targets that have, in the past, had a very lax standard for security. As shown by several high-profile exploits, the industry appears to still be catching up when addressing security concerns.
Fortunately, there are many industry guidance documents available, but sorting through them and identifying the most effective can be daunting. Almost all directives from the FDA concerning cybersecurity are nonbinding, which can make it difficult to confidently identify the most effective way to implement a verification and validation process. The exception is the premarket submission process, which requires documentation on how cybersecurity is implemented.
For many device manufacturers, the difficulty is not only in identifying standards to follow but which apply to their specific product. Ensuring the chosen framework can scale as the device is updated and changed is also a challenge. Updates – or a lack thereof – can be challenging because of the possibility of introducing new vulnerabilities. Cybersecurity is rarely a rigid checklist that applies to all industries. In many cases, third-party help is required given the large number of complementary guidance documents available.
NIST Framework
One of the most comprehensive guidance documents available is the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST). It is one of the most effective documents for laying the groundwork for a cybersecurity implementation. Its “Identify, Protect, Detect, Respond & Recover” framework core is referenced throughout the industry and allows device manufacturers to consistently identify gaps in their processes through risk-based implementation.
Utilizing an Information Sharing & Analysis Organization (ISAO) can help gather and identify industry threats, and it can be an effective way to maintain a security baseline throughout the design and post-market cycle by leveraging the collective knowledge of the group. Participating in an ISAO also helps meet the FDA guidance on postmarket cybersecurity.
Medtech regulations
There are many regulations that medical devices must adhere to. The EU’s General Data Protection Regulation is one of the most stringent, requiring immediate action. Effective May of 2018, the GDPR will change from a directive to a regulation, which is a stronger form of legislation. Some of the key considerations for medical devices are breach notification – in which users must be notified of a breach within 72 hours – and privacy by design, which requires privacy to be considered when a product is designed. Both requirements align with generally effective cybersecurity design practices and should be part of the ongoing validation and review process.
In its final premarket guidance, the FDA is now looking for a cybersecurity plan, as well as data to back it up. Specifically, device manufacturers must identify cybersecurity risks, provide a traceability matrix and give a summary of controls created in the design of the device.
Verification & validation
After considering the applicable guidance and regulations for a device, it’s important to conduct verification and validation activities that demonstrate security is in place. When running verification and validation on connected medical electrical equipment, it’s important to take a two-pronged approach, examining both the software and the hardware of a device:
- Software: Medical device manufacturers spend large amounts of time on hardware development, but software development is often less structured. Manufacturers should include robust requirements for validation. Adopting IEC 62304 is a good start to ensure that software validation receives equal consideration in the design phase. While IEC 62304 doesn’t identify specific tools to use, it provides a robust framework for verification and validation throughout the software development process.
Ongoing cybersecurity risk assessments and static analysis are key ways to help mitigate zero-day-style exploits on hardware and software. This is especially important within environments using Software of Unknown Provenance (SOUP). When devices enter a hospital environment, they can be placed somewhere not specifically intended for them to operate. Testing within a mixed interoperability environment can help mitigate some of these issues by better understanding various connections and network features common in a real-world environment.
For example, Intertek has created virtual offices that include several hundred unique devices that can emulate a live hospital environment. With large-scale emulated environments, it is easier to test patches and identify potential limitations without subjecting customers and patients to potential harm.
- Hardware: Addressing hardware security during the design and development phase goes well beyond simply testing and validating. Hardware has the disadvantage of not being easily updated once delivered to a customer. To combat this, it’s essential to avoid activating ports that are not required for the device to function and to ensure each piece of hardware has a unique ID and login implementation.
Additionally, it’s critical to make sure features not in use are either disabled or removed from the device, prior to it being introduced to a live environment, especially when outsourcing. Some hardware chips can be activated using physical access and, in rare cases, can be activated through software.
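One way to turn the hardware points above into a repeatable verification step is to audit each unit's declared configuration against a hardening baseline before it ships. The script below is an added example, not Intertek's tooling or any vendor's schema: the field names (`enabled_services`, `enabled_features`, `login_hash`) and the fleet data are constructed for illustration. It flags services listening on ports the baseline does not require, optional features left switched on, and device IDs or login credentials that repeat across units.

```python
"""Hardening-baseline audit for a connected device configuration.

Added example, not Intertek's or any vendor's tooling. It checks each
unit's declared configuration against the hardware guidance above:
only required services/ports active, unused features disabled, and a
unique device ID plus a login credential that is not shared between
units. All data below is constructed; the field names are assumptions,
not a real device's configuration schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DeviceConfig:
    device_id: str
    services: Dict[str, int]       # every service the firmware can expose -> port
    enabled_services: Set[str]     # services actually listening on this unit
    enabled_features: Set[str]     # optional features switched on
    login_hash: str                # hash of the unit's login credential (assumed hashed)


@dataclass
class Baseline:
    required_services: Set[str]
    required_features: Set[str]


def audit_device(cfg: DeviceConfig, baseline: Baseline,
                 fleet: List[DeviceConfig]) -> List[str]:
    """Return human-readable findings for one unit (empty list = passes)."""
    findings: List[str] = []

    # Ports: anything listening that the baseline does not require.
    for svc in sorted(cfg.enabled_services - baseline.required_services):
        port = cfg.services.get(svc, "?")
        findings.append(f"unneeded service '{svc}' active on port {port}")

    # Features: switched on but not needed for the device's function.
    for feat in sorted(cfg.enabled_features - baseline.required_features):
        findings.append(f"unused feature '{feat}' still enabled")

    # Identity: the ID and the login credential must not repeat across the fleet.
    others = [o for o in fleet if o is not cfg]
    if any(o.device_id == cfg.device_id for o in others):
        findings.append(f"device ID '{cfg.device_id}' shared with another unit")
    if any(o.login_hash == cfg.login_hash for o in others):
        findings.append("login credential shared with another unit")
    return findings


def audit_fleet(fleet: List[DeviceConfig], baseline: Baseline) -> List[List[str]]:
    """Findings per unit, in fleet order."""
    return [audit_device(cfg, baseline, fleet) for cfg in fleet]


# Constructed sample data: one clean unit and two units that share a
# device ID and credential; one of those also has telnet and a debug shell on.
FIRMWARE_SERVICES = {"https": 443, "telnet": 23, "debug-uart": 0}
BASELINE = Baseline(required_services={"https"}, required_features={"telemetry"})
FLEET = [
    DeviceConfig("SN-0001", FIRMWARE_SERVICES, {"https"}, {"telemetry"}, "hash-a1"),
    DeviceConfig("SN-0002", FIRMWARE_SERVICES, {"https", "telnet"},
                 {"telemetry", "debug-shell"}, "hash-default"),
    DeviceConfig("SN-0002", FIRMWARE_SERVICES, {"https"}, {"telemetry"}, "hash-default"),
]

if __name__ == "__main__":
    for cfg, findings in zip(FLEET, audit_fleet(FLEET, BASELINE)):
        print(cfg.device_id, "PASS" if not findings else findings)
```

Running the audit across the whole fleet rather than one unit at a time is what makes the uniqueness checks possible; the same structure can be fed from a manufacturing database or a configuration export, and the findings list maps directly onto the traceability matrix the FDA premarket guidance asks for.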
The UL 2900 standards are a good starting point; however, meeting all of their requirements presupposes an effective documentation and validation process already in place. They are a good guideline for internal teams to work towards before opening up to a third-party audit.
Increasing breaches that reveal personally identifiable information have made designing security into medical devices and their accompanying software a requirement for all 510(k) submissions to the FDA in the US, and through regulations such as the GDPR in the EU. Having an effective validation and verification plan during the design phase has been a requirement for bringing medical devices to market for twenty years. Adding cybersecurity to that plan is essential for any connected device.
Michael Lynch is managing consultant and Delmar Howard is performance testing program manager at Intertek (London).